Making the Security Case to the C-Suite
Perhaps the most significant security advancement made at the enterprise level over the last two decades has not been technology, but rather its perception. While shiny new technology devices never fail to grab the attention of management, making the security case for purchasing them is another matter. Now that the security function is considered a key aspect of business operations in many organizations, it becomes critical to keep the C-Suite engaged.
As this current COVID-19 pandemic has illustrated, organizations that fail to properly gauge potential threats and risks to their operations can quickly fall into the abyss. Having a risk plan that challenges C-Suite executives to look beyond the technology aspects of security to a proactive situational awareness posture is a big step forward. When management reinforces and supports such proactive steps to employees and staff, it strengthens that organization and helps it to be flexible while meeting any challenge.
Make the Business Case
But how is that proactive posture achieved?
Any security program that has managed to embed its value into the organizational infrastructure has done so with a robust program of awareness and transparency. While it is a constant battle to foster a higher awareness of the real need for additional technology and security products, providing the C-Suite a transparent argument for systems expansion and additional capital spending can be difficult. Selling risk is hard.
Security directors who focus on technology in their relations with other business units and use fear tactics to try to force compliance are missing a big opportunity to convince the C-Suite of security's importance. The C-Suite will recognize a security team as relevant if it is adept at managing risks to revenue streams, operations and the brand.
Although many successful security executives may have helped C-level executives move past the lament of security being nothing more than a cost center, they should continue to stress actual returns on investment when it comes to technology. As one global CTO, Rudy Wolter, said to me, “Senior management understands the numbers. They may not connect numbers to risk, and that is up to you to show. You have to prove ‘risk versus reward’; if they do not see the risk – and it has to be real – the C-suite will believe you are overstating the facts and you lose credibility.”
Here’s an example of describing the ROI to the C-Suite: once an intruder gets into a facility via tailgating, a whole world of risk and liability opens up, ranging from theft to violence, as well as bad PR, lawsuits and regulatory fines. Security entrances can mitigate that risk of intrusion by dealing with tailgating from a deter, detect or prevent standpoint, in the end reducing the manpower needed to supervise the entry and creating a payback on the capital expenditure. These very specific features and benefits can communicate the ROI story to upper management.
Another approach to influencing the C-Suite is proposed by Paul Schuster, Senior Corporal/Project Officer, Facilities Management at the Dallas Police Department: start at the bottom and work the culture. “By making sure all employees are educated about security, you make them a part of the solution. You can expand beyond basic training to help them understand the need to limit the organization’s liability, as well as the reasoning behind implementing the technology for security layers including cameras, guards and security entrances. This will improve their engagement and increase the success of adoption. When your staff has a better understanding of these needs, the awareness will filter up through executive management to the C-Suite as well.”
The cold truth is that most C-Suite executives are not concerned about the technical profile of that new biometric reader or camera system. Management must understand the risk mitigation case of that device and how security promotes the organization’s bottom line and corporate culture. That is why it is key that security leaders understand and emphasize when new technology is low-stress and does not unduly impact staff routines. When communicating with the C-Suite, security must communicate both the costs and the benefits at the organizational level to build support.